Capture environment variables

You can configure an Elastic Agent policy to capture up to five environment variables (env vars).

  • Env var names must be no more than 63 characters, and env var values must be no more than 1023 characters. Values outside these limits are silently ignored.
  • Env var names are case-sensitive on Linux, so the name you enter must match the process's environment exactly.

To set up environment variable capture for an Elastic Agent policy:

  1. Go to Security → Manage → Policies.
  2. Select an Elastic Agent policy.
  3. Click Show advanced settings.
  4. Scroll down or search for linux.advanced.capture_env_vars.
  5. Enter the names of env vars you want to capture, separated by commas. For example: PATH,USER
  6. Click Save.

Figure: The "linux.advanced.capture_env_vars" advanced agent policy setting
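The following is an added example, not Elastic's own code: it models the limits stated above (at most five names, names up to 63 characters, values up to 1023 characters, case-sensitive names) so you can check a capture_env_vars value before saving it and preview what process.env_vars would hold for a given process environment. How the agent treats a sixth name is not documented here; the model assumes it is dropped.

```python
"""Pre-check a linux.advanced.capture_env_vars value and preview the capture.

Added example modelling the documented limits; it is not the agent's code.
Assumption: a sixth name beyond the five-variable limit is simply dropped.
"""
from typing import Dict, List, Tuple

MAX_VARS = 5          # up to five env vars per policy
MAX_NAME_LEN = 63     # longer names are silently ignored
MAX_VALUE_LEN = 1023  # longer values are silently ignored


def parse_policy_value(value: str) -> Tuple[List[str], List[str]]:
    """Split the comma-separated setting into accepted names plus warnings."""
    accepted: List[str] = []
    warnings: List[str] = []
    for raw in value.split(","):
        name = raw.strip()
        if not name:
            continue
        if len(name) > MAX_NAME_LEN:
            warnings.append(f"{name[:16]}...: name exceeds {MAX_NAME_LEN} chars, ignored")
        elif name in accepted:
            warnings.append(f"{name}: duplicate entry")
        elif len(accepted) >= MAX_VARS:
            warnings.append(f"{name}: beyond the {MAX_VARS}-variable limit (assumed dropped)")
        else:
            accepted.append(name)
    return accepted, warnings


def capture_env_vars(accepted: List[str], environ: Dict[str, str]) -> Dict[str, str]:
    """Model the process.env_vars content for one process environment."""
    captured: Dict[str, str] = {}
    for name in accepted:
        if name not in environ:            # case-sensitive, as on Linux
            continue
        if len(environ[name]) > MAX_VALUE_LEN:  # over-long value: ignored
            continue
        captured[name] = environ[name]
    return captured


if __name__ == "__main__":
    # Constructed sample: six names in the policy, a process env with mixed case.
    names, warns = parse_policy_value("PATH,USER,HOME,SHELL,LANG,TERM")
    sample_env = {"PATH": "/usr/bin", "user": "root", "HOME": "/root", "LANG": "x" * 2000}
    print("accepted:", names)
    print("warnings:", warns)
    print("process.env_vars:", capture_env_vars(names, sample_env))
```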

Find captured environment variables

Captured environment variables are associated with process events, and appear in each event’s process.env_vars field.

To view environment variables in the Events table:

  1. Click the Events tab on the Hosts, Network, or Users pages (Security → Explore), then click Fields in the Events table.
  2. Search for the process.env_vars field, select it, and click Close. A new column appears containing captured environment variable data.

Figure: The Events table with the "process.env_vars" column highlighted